At a conference I attended not long ago, part of the conference package I received was a “free” USB drive from one of the vendors. Every attendee received one of the drives.

Being the information security person that I am, “free” USB drives make me wary. Marketers also make me wary. So, I looked at the instructions included with the USB drive, and found the following:

This USB drive is backed by iClick’s lifetime replacement warranty. To help identify authenticity the USB drive may connect to iClick servers for verification when it is plugged into a computer connected to the Internet. No personal information will be sent or recorded other than the IP address. By utilizing this USB drive you consent to allow this possible server connection.

So, from a security perspective, let’s take this apart. “To help identify authenticity…” How does connecting to their Internet servers identify anything about the USB drive? This appears to be a blatant falsehood to justify the next action: “…(may) connect to the Internet.” How many times will it connect to the Internet? Every time you plug it in? We don’t know.

“No personal information will be sent or recorded other than the IP address.” Can we trust this statement? Given the previous statement, should we believe this? How do we know? Not without some security testing. If it connects more than once, reporting the IP address each time, how long is that information stored? Does it automatically open a web page that may have malware hidden in the HTML code?

The final statement on the “instructions?” By utilizing this USB drive you consent to allow this possible server connection. How many people read “instructions” after getting a “free” USB drive? Everyone “knows” you just plug it in to your USB port on your computer. So we’ve “consented,” i.e., removed any legal action against this “possible server connection.” We can just eliminate “possible” here, I would suspect.

Can we remove this software? According to the iClick website, they can “lock” the files on the USB drive so they won’t be deleted. I don’t know if the drive can disallow formatting but frankly, this went in the trash.

If the C-level and Board members of your company are concerned about the privacy and security of their business and personal data, you might want to educate them about the privacy policy of a very frequently used mobile device: the iPhone.

According to this article from the LA Times business blog, Apple recently changed their privacy policy (which users must agree to in order to buy anything on iTunes) to acknowledge that they are storing location data for “partners and licensees.” In fact, they have been storing it since 2008.

Last week, from the Chief Information Officers Council, a government body established by legislation in 1996, came a Privacy Recommendations Paper addressed to all government departments and agencies. So this paper carries a little extra clout.

Their paper (available here) succinctly describes the privacy risks of cloud computing that government agencies and departments should consider before using it. I think these recommendations would be equally useful in business decisions, especially if companies store confidential personal records.

Here are some highlights:

The purpose of this paper, and of privacy interests in general, is not to discourage agencies from using cloud computing; indeed a thoughtfully considered cloud computing solution can enhance privacy and security. Instead, the purpose is to ensure that Federal agencies recognize and consider the privacy rights of individuals and those agencies identify and address the potential risks when using cloud computing.

The paper lists the most common risks, and I’ve edited the risks to indicate a business framework rather than a federal department/agency:

Risks include:
• The permitted use for the information the Cloud Computing Provider (“CCP”) collected from the business entity may not be clearly defined in the Terms of Service/Contract, enabling the CCP to analyze or search the data for its own purposes or to sell to third parties.
• The data could become an asset in bankruptcy, particularly if the Terms of Service or contract does not include retention limits.
• Depending on the location of the CCP’s servers or data centers, the CCP might allow or be required to permit certain local or foreign law enforcement authorities to search its data pursuant to a court order, subpoena, or informal request that would not meet the standards of the Privacy Act of 1974.
• The individual providing the information has no notice that explains that his or her information is being stored on a server not owned or controlled by the business entity. Thus, when the individual person attempts to access his or her data, he or she is unable to do so and is left without proper redress.
• The data stored by the CCP is breached and the CCP does not inform the business or any of the individuals affected by the incident.
• The CCP improperly implements regulatory requirements for the business entity (i.e., finds them cost-prohibitive or cumbersome) and thus inadvertently allows the data it is storing in the cloud to be viewed by unauthorized viewers.
• The CCP fails to keep access records that allow the business entity to conduct audits to determine who has accessed the data.
• The business entity cannot access the data to perform necessary audits. The data has been moved to a different country and a different server and the government suffers a loss in reputation and trust.
• The business entity fails to keep an up-to-date copy of its data. The CCP accidentally loses all of the business’s data and does not have a back up.

It’s also worth noting that the paper references specific legislation, such as HIPAA, that also applies to business, health care and education entities. A CCP should assume that a business associate agreement is required if PHI is being transmitted and stored on a cloud.

I highly recommend a thorough read of the paper; it offers a good framework for a privacy assessment prior to entering into a contract with cloud computing providers. Besides, it’s only ten pages long.

Would you publish a digital photograph from your smart phone on the Internet if it could tell everyone where you lived, or where you were when you took it?

Unless GPS capability is specifically turned off (for phones that have it – think iPhone, Palm and Blackberry), photographs posted on the web from a smart phone automatically have a geo-tag embedded in the photograph’s metadata (the EXIF data, which is invisible to the viewer). The tag includes the latitude and longitude where the photograph was taken. For example, if you’re tweeting about something, say the great dessert you just had, and send out a picture to your envious friends – unknown people can quickly discover where you are.

My first thought was, “What’s the big deal? So I’m having a fancy ice cream in SoHo.”

Then I read on: researchers Ben Jackson and Paul Vet ran a research project examining information from publicly posted tweets and photos to demonstrate that it is easy to identify where a specific person sleeps, works, and potentially engages in private activities. Software that reads and edits photograph metadata is frequently freeware and easily available.

As a “proof of concept,” they’ve created a website ICanStalkU.com to educate people about how much information they are releasing onto the Internet. The site actually does a LIVE demo of CURRENT tweets and pictures, with linkage to a Google map.

Both Jackson and Vet separately presented their research at the Hackers On Planet Earth (HOPE) conference in New York City last month to demonstrate just how easy it is to track a single individual using just a few pieces of metadata attached to their tweets and/or online photos.

Consider what business information or inadvertent personal information might be revealed from pictures from a smart phone – even if they are never uploaded. Given how many users are carrying around iPhones and sending pictures – this has an enormous privacy implication.

Their website does contain instructions on how to turn GPS off for the iPhone, Palm and Blackberry – on other phones you may not have that option. The government is actually considering making GPS a mandatory requirement on cell phones in case of 911 calls. It’s not a big leap to monitor more than that.
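The geo-tag mechanism described above, as an added example that is not part of the original post and not code from ICanStalkU: a small Python script that builds a constructed JPEG whose EXIF (APP1) segment carries a GPS sub-IFD, reads the latitude and longitude back out the way a privacy checker would, and strips the segment before the photo is shared. The EXIF tag numbers and TIFF layout are the standard ones; the sample coordinates, the helper names and the fake scan data are my own assumptions so that the script runs offline.

```python
import struct

# JPEG/EXIF constants (standard format values, not from the original post)
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1, SOS = 0xE1, 0xDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input (assumption, not a real photo): a JPEG skeleton
    whose APP1 segment carries a big-endian TIFF block with IFD0 -> GPS IFD.
    Fixed layout, offsets relative to the TIFF header:
      0 header(8) | 8 IFD0(18) | 26 GPS IFD(54) | 80 lat(24) | 104 lon(24)"""
    tiff = b"MM" + struct.pack(">HI", 42, 8)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, TYPE_LONG, 1, 26)
    tiff += struct.pack(">I", 0)                                  # no IFD1
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", TAG_LAT_REF, TYPE_ASCII, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(">HHII", TAG_LAT, TYPE_RATIONAL, 3, 80)
    tiff += struct.pack(">HHI", TAG_LON_REF, TYPE_ASCII, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(">HHII", TAG_LON, TYPE_RATIONAL, 3, 104)
    tiff += struct.pack(">I", 0)                                  # end of GPS IFD
    for n, d in (*lat_dms, *lon_dms):                             # deg, min, sec rationals
        tiff += struct.pack(">II", n, d)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + b"\xff\xda\x00\x02" + b"\x00" * 8 + EOI   # fake scan data


def iter_segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before the scan."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == SOS:
            return                                # entropy-coded data follows; stop
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def find_exif(jpeg):
    """Locate the APP1/Exif segment; returns (start, end) byte offsets or None."""
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            return start, end
    return None


def _read_ifd(tiff, off, e):
    """Parse one IFD into {tag: (type, count, raw 4-byte value/offset field)}."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, count, tiff[p + 8:p + 12])
    return entries


def _dms_to_degrees(tiff, entry, e):
    """GPS coordinates are three RATIONALs (deg, min, sec) stored at an offset."""
    typ, count, raw = entry
    if typ != TYPE_RATIONAL or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    off = struct.unpack(e + "I", raw)[0]
    parts = [n / d if d else 0.0 for n, d in struct.iter_unpack(e + "II", tiff[off:off + 24])]
    return parts[0] + parts[1] / 60 + parts[2] / 3600


def read_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if no geo-tag is present."""
    loc = find_exif(jpeg)
    if loc is None:
        return None
    tiff = jpeg[loc[0] + 10:loc[1]]
    e = ">" if tiff[:2] == b"MM" else "<"       # byte order declared in the TIFF header
    if struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
    if TAG_LAT not in gps or TAG_LON not in gps:
        return None
    lat = _dms_to_degrees(tiff, gps[TAG_LAT], e)
    lon = _dms_to_degrees(tiff, gps[TAG_LON], e)
    if gps.get(TAG_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
        lat = -lat
    if gps.get(TAG_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
        lon = -lon
    return lat, lon


def strip_exif(jpeg):
    """Remove the whole APP1/Exif segment; the pixel data is untouched."""
    loc = find_exif(jpeg)
    if loc is None:
        return jpeg
    return jpeg[:loc[0]] + jpeg[loc[1]:]


if __name__ == "__main__":
    # Constructed coordinates, not taken from any real photo
    photo = build_sample_jpeg([(40, 1), (43, 1), (30, 1)], "N", [(74, 1), (0, 1), (21, 1)], "W")
    print("geo-tag before:", read_gps(photo))                # (40.725, -74.00583...)
    print("geo-tag after: ", read_gps(strip_exif(photo)))   # None
```

On a real phone photo only `read_gps` and `strip_exif` are needed; `build_sample_jpeg` exists so the script runs without a camera. Dropping the entire APP1 segment also removes the orientation and camera tags, which is the safer default for anything that will be published. A production scrubber should additionally walk the length-less markers (RSTn, padding bytes) and look for XMP, which can carry the same location data in a separate APP1 segment.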

I received some entertaining feedback on my previous blog, so I thought I’d share some of the comments I’ve heard over the last few years about business reputations:

1. “My data is outsourced (hosted, in the cloud, etc.) at a third party company. If they lose my data, or get broken into, it’s their reputation problem.” No matter who loses it, it’s still your data – or to put it more honestly, your customers’ data. If you outsourced storage, you’re responsible, not the vendor. You can’t outsource responsibility (see Eigen’s Rules of Thumb).

2. “I have a contract with my vendors to secure my data. They signed off that they have secure practices, so I don’t need to be concerned. I’ll sue the heck out of them if they lose it!” The lawsuit is likely to be much more expensive than it’s worth. Audited them lately?

3. “It will go away soon – customers have short attention spans, because there are so many data breaches going on these days.” I live in Maine, where I still hear people grousing about having to change credit cards due to Hannaford’s data breach. It’s a classic: “The only thing a customer remembers more than good service is bad service.” News outlets tend to put the “company name” and “data breach” together. Much further down is the “third party vendor” part.

4. “We don’t need to encrypt our laptops. There are only a few of us and we never take data off site.” If you want to know just how many laptops were involved in data breaches, go to privacyrights.org and run a search. From 2009 through mid 2010, there were 154 publicly announced breaches (who knows how many more were NOT announced) for a total of 87,094,382 individual records lost and/or stolen from unencrypted laptops “protected by a password.”

The expression “Going viral” has meaning here. On the Web, a customer who’s had their data exposed might not only tell 10 people, they might also write a complaint on their blog, post comments on other people’s blogs, write a negative review of your business on a shopping web site, AND criticize you on forums and message boards. Customer expressions of dissatisfaction have outpaced any ability to control negative perception on the Web.

The example that comes to mind is “United Breaks Guitars.” Check it out. Nine million views and counting. I watched it one more time – it’s pretty funny.

In a discussion with a client recently, we were talking about reputation as a “risk” to his business. He didn’t seem to think it was a long term issue, because so many other issues capture public consciousness so quickly. This got me thinking about “reputation risk” as a concept. I realized that the idea needs some updating.

So here’s the formal definition: Reputational risk can be defined as the risk arising from negative perception on the part of customers, counterparts, shareholders, investors or regulators that can adversely affect an organization’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding.

As far as I’m concerned the first and the last are the most serious – customers and regulators.

Although no one likes to think about being on the front page of their newspaper with the company name attached to “data breach,” a newspaper does come out the next day with other things to announce. News reporting tends to be intense at first, then fade away. This supports my client’s point of view.

There are newspapers, and then there’s Google.

Consider the plight of Hannaford. A Google search of the name leads me to the bottom of the page, where other search categories are listed – one of which is “hannaford breach.” A search on that term leads to some 303,000 results.

How long will it take for that search term to disappear? (I just added to it, unfortunately.) Much longer than a newspaper, and more accessible to anyone with a computer, or access to one. Some search engines save and cache search results, as well. What about the Wayback Machine, where you can search 55 billion web pages going back to 1996?

The length of time a negative perception can remain in the public consciousness seems to me to be much longer with the advent of search engines. In the same way that you can “google” someone, you can also “google” companies. Customers complain online and that gets cached, too.

A poor reputation leads to a “negative perception.” If customers and regulators have a “negative perception,” you will see fewer of the former and more of the latter. Not a good long-term business plan!

The folks from Barracuda Labs have issued a midyear report with some riveting data about the connection between Twitter and Google as venues for malware. You can see the summary and download the report here.

It was fascinating reading their assessment of search engine malware as well as Twitter use and crime rate.

Did you know that only 28.87 percent of Twitter users are actual Twitter users? The rest appear to be categories of Twitter “users” that are actually IDs for businesses, fan clubs, and political and social announcements. The higher the number of tweets, friends and followers, the higher the likelihood of scammers. (This is a very loose interpretation on my part. You should really read the report.)

Where do Twitter and Google tie together? Google indexes tweets in an average of 1.2 days, while the other search engines do not capture them for an average of four days.

So a bad guy using Twitter to “announce” his malware delivery website (freewaresoft.info, for example) will see his tweet appear on Google much more quickly than on any other search engine.

An excellent article written by Woody Leonhard over on windowssecrets.com analyzes the “Classic Version” and new beta version of Microsoft’s (“Johnny-come-lately” social networking product) Windows Live. He demonstrates in very detailed fashion that it is impossible to turn off “third party tattling.”

Using Woody’s example, if I have a conversation with Mr. B on Messenger, he involuntarily becomes my “friend.” (When did “friending” become a verb?) If I then have a conversation with Mr. C, Mr. B is notified that Mr. C and I are now “friends.”

The article walks us through the many ways Woody tried to disable this feature, including contacting Microsoft, to turn this “it’s not a bug, it’s a feature” function OFF. He’s far from a technical dummy, and he had absolutely no success.

Everybody in my “Friends” list – anyone I have ever used Messenger with – will now know the next person I talk to on Messenger. In effect, Messenger notifies everyone else I’ve sent a message to whenever I communicate with a new person.

Why should I want everyone I’ve ever communicated with via Messenger to know when I communicate via Messenger to someone new? I can’t imagine.

About This Blog

Are IT Engineers and IT Auditors natural enemies? Having worked on both sides of the fence, I have a unique understanding of the common ground of these disciplines. It all comes down to competence. Can you say SAS 70, (ooops, SSAE16), PCI, SOX404, Digital Forensics, Pentesting ...Geek?